1
HIPAA Compliance and Social Media Concerns September 2013 Presenter: Jennifer A. Dukarski of Butzel Long

2
EVERYTHING HAS A PRICE: SOCIAL MEDIA IN THE DIGITAL AGE

3
Professional Branding in the Digital Age Digital media creates virtually limitless opportunities to promote and protect your brand and products…

4
Professional Branding in the Digital Age… continued … while leaving an almost limitless opportunity for employees, customers and others to destroy that brand

5
Because the internet comes with a price…
Online interaction differs from face-to-face communication as people are prone to behave at their worst and forget about consequences. This is the Online Disinhibition Effect!
– You don’t know me (dissociative anonymity)
– You can’t see me (invisibility)
– You won’t see me until later (asynchronicity)
– It’s all going on in my head (solipsistic introjection)
– It’s just a game (dissociative imagination)
– There’s no cops (minimizing authority)
The Online Disinhibition Effect, John Suler (2004)

6
Why Digital Media Matters: Consumers Use Social Media
– 42% use social media to access health-related reviews
– More than 80% of year olds would share health information through social media
– Almost half (45%) of individuals from would share health information over social media
Price Waterhouse Cooper HRI Consumer Survey, 2012

7
Why Digital Media Matters: What an Employer Does Has Consequences
We asked or encouraged an employee to use Social Media.
– Social media is becoming inseparable from some job functions.
– Some individuals are asked to “host the company account” or post for the office.
We have “deep pockets” and an offended party sues us, too.
– For example, NBA Referee Bill Spooner sued AP Reporter Jon Krawczynski and the Associated Press for comments surrounding a questionable call.

8
THE INTERSECTION OF SOCIAL MEDIA, HIPAA AND BAD JUDGMENT

10
Leaking PII and PHI is easier than you think…
– California, April 9, 2010: Nurse photographs stabbing victim and puts his image (including his face) on Facebook
– Westerly Hospital, Rhode Island, April 21, 2011: Physician tells stories of Emergency Room experiences on Facebook, including details that may allow a third party to determine the individual involved
– Martin Memorial Center, Florida: employees were disciplined after taking and sharing photos of a shark bite victim
– Palisades General Hospital: “George Clooney is here”
– Medical Blogs: over 17% of blogs by professionals may contain sufficient information to establish the identity of a patient

11
I Lost My Data on the Internet: LabMD and the Federal Trade Commission
8/29/2013: The FTC files a complaint against LabMD for failing to protect medical and other sensitive information over a peer-to-peer network (software commonly used to share music, videos and other materials).
The complaint alleged that LabMD (which performs medical testing for consumers nationwide) did not take reasonable and appropriate measures to prevent unauthorized disclosure of sensitive consumer data, including PHI.

12
THE RISKS OF BRING YOUR OWN DEVICE

13
What is Bring Your Own Device?
– Bring Your Own Device (BYOD) is the policy of allowing employees to bring their own mobile devices (laptops, tablets, smart phones, etc.) to the workplace
– BYOD also may include use of non-company and document sharing (Drop Box / SharePoint)

16
Breaches: BYOD heightens the risk
Source: Health Information Privacy/Security Alert Analysis of HHS Office for Civil Rights Data
– Paper Records accounted for 116 incidents and were involved in 5 major breaches
– Laptops accounted for 111 breaches and were involved in 15 other issues
– Portable Electronic Devices (smart phones, iPads, etc.) accounted for 69 breaches and played a role in 11 other cases
– Network Servers were the sole cause of 46 breaches and were involved in 13 other cases
– Business Associates accounted for 103 breaches, the equivalent of 1 of every 9 incidents

17
It may feel like the Wild West…
When implementing a strategy to deal with Digital Media, organizations should consider all of the legal risks involved:
Other Potential Legal Constraints
– Media, Privacy and Communications
    Reputation management
    Stored Communications Act
– Labor and Employment
    Wage and Hour concerns
    Hiring and Firing
– Intellectual Property
    Patents, Trademarks and Copyright
    Domain Names and Social Media Accounts
– Contractual and Ownership Rights
    Ownership of social media followers, contacts, content and websites
– Endorsement and Other Regulatory Concerns

18
… But a preventative approach can mitigate the risks
Social Media Use Strategies
– Implement or Review and Audit your BYOD Policy
– Review and Revise or Adopt a Social Media Policy
– Review Your Employee Handbook
Data Security Strategies (LabMD Takeaways)
– Implement and maintain a comprehensive data security program which includes addressing Business Associate risk
– Use readily available measures to identify commonly known and reasonably foreseeable security risks and vulnerabilities
– Use adequate measures to prevent employees from accessing personal information not needed to perform their jobs
– Train employees on basic security practices
– Use readily available measures to prevent and detect unauthorized access to personal information